<!DOCTYPE html>
<html lang="en-US">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

    <meta http-equiv="cache-control" content="max-age=0" />
    <meta http-equiv="cache-control" content="no-cache" />
    <meta http-equiv="expires" content="0" />
    <meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
    <meta http-equiv="pragma" content="no-cache" />
    <link rel="icon" type="image/png" href="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/fav.png" />
    <link rel="preload" href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet">
	<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	<!-- This site is optimized with the Yoast SEO plugin v17.6 - https://yoast.com/wordpress/plugins/seo/ -->
	<title>EvilGnome: Rare Malware Spying on Desktop Users - Intezer</title>
	<meta name="description" content="EvilGnome, a rare type of malware with zero detections in VirusTotal, is spying on Linux desktop users by allowing the recording of audio conversations. The malware has infrastructure connections to Russian APT Gamaredon Group." />
	<link rel="canonical" href="https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:description" content="EvilGnome, a rare type of malware with zero detections in VirusTotal, is spying on Linux desktop users by allowing the recording of audio conversations. The malware has infrastructure connections to Russian APT Gamaredon Group." />
	<meta property="og:url" content="https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/" />
	<meta property="og:site_name" content="Intezer" />
	<meta property="article:publisher" content="https://www.facebook.com/IntezerLabs/" />
	<meta property="article:published_time" content="2019-07-17T13:19:04+00:00" />
	<meta property="article:modified_time" content="2021-03-22T13:35:07+00:00" />
	<meta property="og:image" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/garden-gnome-523380_1920.jpg" />
	<meta property="og:image:width" content="1920" />
	<meta property="og:image:height" content="1275" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:creator" content="@IntezerLabs" />
	<meta name="twitter:site" content="@IntezerLabs" />
	<meta name="twitter:label1" content="Written by" />
	<meta name="twitter:data1" content="Paul Litvak" />
	<meta name="twitter:label2" content="Est. reading time" />
	<meta name="twitter:data2" content="9 minutes" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://www.intezer.com/#organization","name":"Intezer","url":"https://www.intezer.com/","sameAs":["https://www.facebook.com/IntezerLabs/","https://www.linkedin.com/company/intezer-labs/","https://www.youtube.com/channel/UCt5L5ztHh-C1NCKa6bKjXFQ","https://twitter.com/IntezerLabs"],"logo":{"@type":"ImageObject","@id":"https://www.intezer.com/#logo","inLanguage":"en-US","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","width":512,"height":512,"caption":"Intezer"},"image":{"@id":"https://www.intezer.com/#logo"}},{"@type":"WebSite","@id":"https://www.intezer.com/#website","url":"https://www.intezer.com/","name":"Intezer","description":"","publisher":{"@id":"https://www.intezer.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.intezer.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/#primaryimage","inLanguage":"en-US","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/garden-gnome-523380_1920.jpg","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/garden-gnome-523380_1920.jpg","width":1920,"height":1275},{"@type":"WebPage","@id":"https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/#webpage","url":"https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/","name":"EvilGnome: Rare Malware Spying on Desktop Users - 
Intezer","isPartOf":{"@id":"https://www.intezer.com/#website"},"primaryImageOfPage":{"@id":"https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/#primaryimage"},"datePublished":"2019-07-17T13:19:04+00:00","dateModified":"2021-03-22T13:35:07+00:00","description":"EvilGnome, a rare type of malware with zero detections in VirusTotal, is spying on Linux desktop users by allowing the recording of audio conversations. The malware has infrastructure connections to Russian APT Gamaredon Group.","breadcrumb":{"@id":"https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/"]}]},{"@type":"BreadcrumbList","@id":"https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.intezer.com/"},{"@type":"ListItem","position":2,"name":"EvilGnome: Rare Malware Spying on Linux Desktop Users"}]},{"@type":"Article","@id":"https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/#article","isPartOf":{"@id":"https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/#webpage"},"author":{"@id":"https://www.intezer.com/#/schema/person/f55a09c767f1af4e25c872480c8e0b85"},"headline":"EvilGnome: Rare Malware Spying on Linux Desktop 
Users","datePublished":"2019-07-17T13:19:04+00:00","dateModified":"2021-03-22T13:35:07+00:00","mainEntityOfPage":{"@id":"https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/#webpage"},"wordCount":1714,"commentCount":0,"publisher":{"@id":"https://www.intezer.com/#organization"},"image":{"@id":"https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/#primaryimage"},"thumbnailUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/garden-gnome-523380_1920.jpg","keywords":["APT","backdoor","Desktop","EvilGnome","Gamaredon Group","Linux","malware","Malware Analysis","Research","Russia"],"articleSection":["Linux","Malware Analysis","Research"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/#respond"]}]},{"@type":"Person","@id":"https://www.intezer.com/#/schema/person/f55a09c767f1af4e25c872480c8e0b85","name":"Paul Litvak","image":{"@type":"ImageObject","@id":"https://www.intezer.com/#personlogo","inLanguage":"en-US","url":"https://secure.gravatar.com/avatar/d9e4a73ab4d11572b62adeabc005ded0?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/d9e4a73ab4d11572b62adeabc005ded0?s=96&d=mm&r=g","caption":"Paul Litvak"},"url":"https://www.intezer.com/author/paullitvak/"}]}</script>
	<!-- / Yoast SEO plugin. -->


<link rel='dns-prefetch' href='//js.hs-scripts.com' />
<link rel='dns-prefetch' href='//www.google.com' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel='dns-prefetch' href='//c0.wp.com' />
<link rel="alternate" type="application/rss+xml" title="Intezer &raquo; Feed" href="https://www.intezer.com/feed/" />
<link rel="alternate" type="application/rss+xml" title="Intezer &raquo; Comments Feed" href="https://www.intezer.com/comments/feed/" />
		<style type="text/css">
img.wp-smiley,
img.emoji {
	display: inline !important;
	border: none !important;
	box-shadow: none !important;
	height: 1em !important;
	width: 1em !important;
	margin: 0 .07em !important;
	vertical-align: -0.1em !important;
	background: none !important;
	padding: 0 !important;
}
</style>
	<link rel='stylesheet' id='wp-block-library-css'  href='https://c0.wp.com/c/5.8.2/wp-includes/css/dist/block-library/style.min.css' media='all' />
<style id='wp-block-library-inline-css' type='text/css'>
.has-text-align-justify{text-align:justify;}
</style>
<link rel='stylesheet' id='mediaelement-css'  href='https://c0.wp.com/c/5.8.2/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css' media='all' />
<link rel='stylesheet' id='wp-mediaelement-css'  href='https://c0.wp.com/c/5.8.2/wp-includes/js/mediaelement/wp-mediaelement.min.css' media='all' />
<link rel='stylesheet' id='contact-form-7-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.5.2' media='all' />
<link rel='stylesheet' id='bootstrap_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/bootstrap.css?ver=0aeebf0e297002559f8cf4ab5cad896d' media='all' />
<link rel='stylesheet' id='fontawesome_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/font-awesome.min.css?ver=0aeebf0e297002559f8cf4ab5cad896d' media='all' />
<link rel='stylesheet' id='main_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/style.css?ver=1640305957' media='all' />
<link rel='stylesheet' id='wpdreams-asl-basic-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style.basic.css?ver=4.9.5' media='all' />
<link rel='stylesheet' id='wpdreams-ajaxsearchlite-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style-curvy-blue.css?ver=4.9.5' media='all' />
<link rel='stylesheet' id='slb_core-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/simple-lightbox/client/css/app.css?ver=2.8.1' media='all' />
<link rel='stylesheet' id='addtoany-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/add-to-any/addtoany.min.css?ver=1.15' media='all' />
<link rel='stylesheet' id='cf7cf-style-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/cf7-conditional-fields/style.css?ver=2.0.7' media='all' />
<link rel='stylesheet' id='jetpack_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/css/jetpack.css?ver=10.5-a.3' media='all' />
<script type='text/javascript' id='addtoany-js-after'>
window.a2a_config=window.a2a_config||{};a2a_config.callbacks=[];a2a_config.overlays=[];a2a_config.templates={};
(function(d,s,a,b){a=d.createElement(s);b=d.getElementsByTagName(s)[0];a.async=1;a.src="https://static.addtoany.com/menu/page.js";b.parentNode.insertBefore(a,b);})(document,"script");
</script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/jquery-3.2.1.min.js?ver=0aeebf0e297002559f8cf4ab5cad896d' id='jquery-js'></script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/add-to-any/addtoany.min.js?ver=1.1' id='addtoany-jquery-js'></script>
<link rel="https://api.w.org/" href="https://www.intezer.com/wp-json/" /><link rel="alternate" type="application/json" href="https://www.intezer.com/wp-json/wp/v2/posts/5223" /><link rel='shortlink' href='https://www.intezer.com/?p=5223' />
<link rel="alternate" type="application/json+oembed" href="https://www.intezer.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fmalware-analysis%2Fevilgnome-rare-malware-spying-on-linux-desktop-users%2F" />
<link rel="alternate" type="text/xml+oembed" href="https://www.intezer.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fmalware-analysis%2Fevilgnome-rare-malware-spying-on-linux-desktop-users%2F&#038;format=xml" />
						<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
				<link rel="preload" as="style" href="//fonts.googleapis.com/css?family=Open+Sans&display=swap" />
				<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans&display=swap" media="all" />
							<style type="text/css">
				/* If html does not have either class, do not show lazy loaded images. */
				html:not( .jetpack-lazy-images-js-enabled ):not( .js ) .jetpack-lazy-image {
					display: none;
				}
			</style>
			<script>
				document.documentElement.classList.add(
					'jetpack-lazy-images-js-enabled'
				);
			</script>
            <link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-32x32.png" sizes="32x32" />
<link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-192x192.png" sizes="192x192" />
<link rel="apple-touch-icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-180x180.png" />
<meta name="msapplication-TileImage" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-270x270.png" />
<link rel="stylesheet" type="text/css" id="wp-custom-css" href="https://www.intezer.com/?custom-css=79c8f516d6" />



</head>

<body class="post-template-default single single-post postid-5223 single-format-standard wp-custom-logo evilgnome-rare-malware-spying-on-linux-desktop-users elementor-default elementor-kit-8921">

    <div class="background-pop"></div>
<div id="top-bar-spacer"><div id="top-bar"><span class="desktop-title">Analyze malware and unknown files for free</span><span class="mobile-title">Analyze malware for free</span>&nbsp;<a class="top-bar-link" href="https://analyze.intezer.com/?_gl=1*1pgz7dk*_gcl_aw*R0NMLjE2MzMwMzI1ODkuQ2owS0NRand3TldLQmhEQUFSSXNBSjhIa2hjMUsxYzg5MXJyZzhKVU5sdmVUM2c1b0tBdUE1Q3g5MUhHVXctTDJCb3Y4X0owLTR6OF8zb2FBaFRERUFMd193Y0I.">analyze.intezer.com</a></div></div>    <header id="header">
		    </header><div class="popup"><div role="form" class="wpcf7" id="wpcf7-f468-o1" lang="en-US" dir="ltr">
<div class="screen-reader-response"><p role="status" aria-live="polite" aria-atomic="true"></p> <ul></ul></div>
<form action="/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/#wpcf7-f468-o1" method="post" class="wpcf7-form init clearfix" novalidate="novalidate" data-status="init" id="request-demo-form">
<div style="display: none;">
<input type="hidden" name="_wpcf7" value="468" />
<input type="hidden" name="_wpcf7_version" value="5.5.2" />
<input type="hidden" name="_wpcf7_locale" value="en_US" />
<input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f468-o1" />
<input type="hidden" name="_wpcf7_container_post" value="0" />
<input type="hidden" name="_wpcf7_posted_data_hash" value="" />
<input type="hidden" name="_wpcf7cf_hidden_group_fields" value="" />
<input type="hidden" name="_wpcf7cf_hidden_groups" value="" />
<input type="hidden" name="_wpcf7cf_visible_groups" value="" />
<input type="hidden" name="_wpcf7cf_repeaters" value="[]" />
<input type="hidden" name="_wpcf7cf_steps" value="{}" />
<input type="hidden" name="_wpcf7cf_options" value="{&quot;form_id&quot;:468,&quot;conditions&quot;:[{&quot;then_field&quot;:&quot;group-570&quot;,&quot;and_rules&quot;:[{&quot;if_field&quot;:&quot;mx_Country&quot;,&quot;operator&quot;:&quot;equals&quot;,&quot;if_value&quot;:&quot;United States&quot;}]}],&quot;settings&quot;:{&quot;animation&quot;:&quot;yes&quot;,&quot;animation_intime&quot;:200,&quot;animation_outtime&quot;:200,&quot;conditions_ui&quot;:&quot;normal&quot;,&quot;notice_dismissed&quot;:false}}" />
<input type="hidden" name="_wpcf7_recaptcha_response" value="" />
</div>
<div class="form-header"></div>
<div class="cf-field cf-field-left cf-fname">
<span class="cf-label">First Name</span><br />
<span class="wpcf7-form-control-wrap FirstName"><input type="text" name="FirstName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required fname w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-lname">
<span class="cf-label">Last Name</span><br />
<span class="wpcf7-form-control-wrap LastName"><input type="text" name="LastName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-field-left cf-title">
<span class="cf-label">Job Title</span><br />
<span class="wpcf7-form-control-wrap JobTitle"><input type="text" name="JobTitle" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-company">
<span class="cf-label">Company</span><br />
<span class="wpcf7-form-control-wrap Company"><input type="text" name="Company" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required company" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-field-left">
<span class="cf-label">Email</span><br />
<span class="wpcf7-form-control-wrap EmailAddress"><input type="email" name="EmailAddress" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-email wpcf7-validates-as-required wpcf7-validates-as-email email" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field">
<span class="cf-label">Country</span><br />
<span class="wpcf7-form-control-wrap mx_Country"><select name="mx_Country" class="wpcf7-form-control wpcf7-select wpcf7-validates-as-required country" aria-required="true" aria-invalid="false"><option value=""></option><option value="United States">United States</option><option value="Canada">Canada</option><option value="Afghanistan">Afghanistan</option><option value="Albania">Albania</option><option value="Algeria">Algeria</option><option value="Andorra">Andorra</option><option value="Angola">Angola</option><option value="Antigua and Barbuda">Antigua and Barbuda</option><option value="Argentina">Argentina</option><option value="Armenia">Armenia</option><option value="Aruba">Aruba</option><option value="Australia">Australia</option><option value="Austria">Austria</option><option value="Azerbaijan">Azerbaijan</option><option value="Bahamas">Bahamas</option><option value="Bahrain">Bahrain</option><option value="Bangladesh">Bangladesh</option><option value="Barbados">Barbados</option><option value="Belarus">Belarus</option><option value="Belgium">Belgium</option><option value="Belize">Belize</option><option value="Benin">Benin</option><option value="Bermuda">Bermuda</option><option value="Bhutan">Bhutan</option><option value="Bolivia">Bolivia</option><option value="Bosnia and Herzegovina">Bosnia and Herzegovina</option><option value="Botswana">Botswana</option><option value="Brazil">Brazil</option><option value="Brunei">Brunei</option><option value="Bulgaria">Bulgaria</option><option value="Burkina Faso">Burkina Faso</option><option value="Burundi">Burundi</option><option value="Cambodia">Cambodia</option><option value="Cameroon">Cameroon</option><option value="Cape Verde">Cape Verde</option><option value="Cayman Islands">Cayman Islands</option><option value="Central African Republic">Central African Republic</option><option value="Chad">Chad</option><option value="Chile">Chile</option><option value="China">China</option><option 

<!-- Schema -->

<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "Article",
  "mainEntityOfPage": {
    "@type": "WebPage",
    "@id": "https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/"
  },
  "headline": "EvilGnome: Rare Malware Spying on Linux Desktop Users",
  "image": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/garden-gnome-523380_1920-1270x475.jpg",  
  "author": {
    "@type": "Organization",
    "name": "Intezer"
  },  
  "publisher": {
    "@type": "Organization",
    "name": "Intezer",
    "logo": {
      "@type": "ImageObject",
      "url": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/02/Round-Logo-60x60.jpg",
      "width": 50,
      "height": 50
    }
  },
  "datePublished": "2019-07-17"
}
</script>

<!-- End schema -->



	<div id="primary" class="content-area">
	    <div class="container">
		    <div class="single-post-page">
				<h1 class="entry-title t-dianne">EvilGnome: Rare Malware Spying on Linux Desktop Users</h1><div class="row top-meta"><div class="col-md-12"><div class="author-box clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/01/Paul-60x60.png" class="user-photo"><div class="user-bio"><span class="author-light">Written by </span><span class="author-name"> Paul Litvak</span><span class="author-date"> - 17 July 2019</span></div></div></div><div class="main-blog-image"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/garden-gnome-523380_1920-1270x475.jpg" class="featured-img"></div></div><div class="row blog-cont"><div class="col-md-2 blog-side"><div class="blog-side-subscribe"><div role="form" class="wpcf7" id="wpcf7-f15120-o2" lang="en-US" dir="ltr">
</div></div><div class="col-md-9 blog-main"><div class="single-post-content"><p><strong>Introduction</strong></p>
<p>Linux desktop remains an unpopular choice among mainstream desktop users, making up a little more than <a href="https://netmarketshare.com/operating-system-market-share.aspx?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Trend%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222018-07%22%2C%22dateEnd%22%3A%222019-06%22%2C%22segments%22%3A%22-1000%22%7D" target="_blank" rel="noopener nofollow noreferrer">2%</a> of the desktop operating system market share. This is in contrast to the web server market, where Linux-based operating systems hold a <a href="https://w3techs.com/technologies/overview/operating_system/all" target="_blank" rel="noopener nofollow noreferrer">70%</a> share. Consequently, the Linux malware ecosystem is plagued by financially driven crypto-miners and DDoS botnet tools, which mostly target vulnerable servers.</p>
<p>This explains our surprise when, at the beginning of July, we discovered a new, fully undetected <strong>Linux backdoor implant</strong> that targets desktop users and contains functionality rarely seen in Linux malware.</p>
<p>Throughout our investigation, we have found evidence that shows operational similarities between this implant and <strong>Gamaredon Group</strong>. We have investigated this connection and in this blog we will present a technical analysis of the tool.</p>
<p>We have named the implant <strong>EvilGnome</strong>, for its disguise as a Gnome extension. The malware is currently fully undetected across all major security solutions:</p>
<p><img loading="lazy" width="1150" height="193" class="wp-image-5211 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-27.png" alt="pasted image 0 27" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-27.png 1150w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-27-300x50.png 300w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-27-1024x172.png 1024w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-27-768x129.png 768w" data-lazy-sizes="(max-width: 1150px) 100vw, 1150px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-27.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1150" height="193" class="wp-image-5211" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-27.png" alt="pasted image 0 27" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-27.png 1150w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-27-300x50.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-27-1024x172.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-27-768x129.png 768w " sizes="(max-width: 1150px) 100vw, 1150px" /></noscript><br />
Figure 1: VirusTotal detections of an EvilGnome sample</p>
<p>We believe this is a test version that was uploaded to VirusTotal, perhaps by mistake. The implant contains an unfinished keylogger functionality, comments, symbol names and compilation metadata which typically do not appear in production versions. EvilGnome’s functionalities include taking desktop screenshots, stealing files, capturing audio from the user’s microphone and downloading and executing further modules.</p>
<p><strong>Gamaredon Group Connection</strong></p>
<p><a href="https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank" rel="noopener nofollow noreferrer">Gamaredon Group</a> is an alleged Russian threat group. It has been active since at least 2013, and has targeted individuals likely involved with the Ukrainian government. Gamaredon Group infects victims using malicious attachments, delivered via spear phishing techniques. The group’s implants are characterized by their use of information-stealing tools—among them screenshot and document stealers that are delivered via an SFX and made to persist through a scheduled task. Gamaredon Group primarily makes use of Russian hosting providers in order to distribute its malware.</p>
<p>Our investigation into EvilGnome yielded several similarities between the threat actors behind EvilGnome and Gamaredon Group:</p>
<p><strong>Hosting Similarities</strong></p>
<p>The operators of EvilGnome use a hosting provider that has been used by Gamaredon Group for years, and continues to be used by the group.</p>
<p>More specifically, EvilGnome’s C2 IP address (<strong>195.62.52.101</strong>) was resolved two months ago by the domains <strong>gamework.ddns.net</strong> and <strong>workan.ddns.net</strong>, <a href="https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=1417" target="_blank" rel="noopener nofollow noreferrer">associated</a> with the Gamaredon Group:</p>
<p><img loading="lazy" width="1371" height="541" class="wp-image-5205 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-21.png" alt="pasted image 0 21" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-21.png 1371w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-21-300x118.png 300w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-21-1024x404.png 1024w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-21-768x303.png 768w" data-lazy-sizes="(max-width: 1371px) 100vw, 1371px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-21.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1371" height="541" class="wp-image-5205" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-21.png" alt="pasted image 0 21" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-21.png 1371w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-21-300x118.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-21-1024x404.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-21-768x303.png 768w " sizes="(max-width: 1371px) 100vw, 1371px" /></noscript><br />
Figure 2: RiskIQ EvilGnome C2 IP query</p>
<p>We used <a href="https://community.riskiq.com/search/gamework.ddns.net" target="_blank" rel="noopener nofollow noreferrer">RiskIQ</a> to map the history of the <strong>gamework.ddns.net</strong> domain:</p>
<p><img loading="lazy" width="968" height="359" class="wp-image-5208 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-24.png" alt="pasted image 0 24" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-24.png 968w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-24-300x111.png 300w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-24-768x285.png 768w" data-lazy-sizes="(max-width: 968px) 100vw, 968px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-24.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="968" height="359" class="wp-image-5208" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-24.png" alt="pasted image 0 24" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-24.png 968w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-24-300x111.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-24-768x285.png 768w " sizes="(max-width: 968px) 100vw, 968px" /></noscript><br />
Figure 3: gamework.ddns.net DNS timeline</p>
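<p>The finding shows that EvilGnome operates on an IP address that was controlled by the Gamaredon group two months ago. An overlap in hosting alone is circumstantial, so it should be weighed together with the infrastructure and tool similarities described below.</p>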
<p><strong>Infrastructure Similarities</strong></p>
<p>While investigating the EvilGnome C2, we observed that it served SSH over port 3436.</p>
<p>We then checked port 3436 on three currently operating Gamaredon Group C2 servers, and found one server with this port open, serving SSH:</p>
<p><img loading="lazy" width="552" height="237" class="wp-image-5217 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-33.png" alt="pasted image 0 33" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-33.png 552w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-33-300x129.png 300w" data-lazy-sizes="(max-width: 552px) 100vw, 552px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-33.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="552" height="237" class="wp-image-5217" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-33.png" alt="pasted image 0 33" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-33.png 552w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-33-300x129.png 300w " sizes="(max-width: 552px) 100vw, 552px" /></noscript><br />
Figure 4: SSH served on port 3436 both on EvilGnome C2 and Gamaredon’s rnbo-ua.ddns.net</p>
<p>We proceeded to scan for this network fingerprint within the address space of EvilGnome’s hosting provider, and we identified two additional servers whose domain names resemble the naming pattern of Gamaredon domains (the use of the .space TLD and of ddns):</p>
<ul>
<li>185.158.115.44 -&gt; <a href="https://community.riskiq.com/search/kotl.space" target="_blank" rel="noopener nofollow noreferrer">kotl.space</a></li>
<li>185.158.115.154 -&gt; <a href="https://community.riskiq.com/search/clsass.ddns.net" target="_blank" rel="noopener nofollow noreferrer">clsass.ddns.net</a></li>
</ul>
<p><strong>Tool Similarities</strong></p>
<p>Gamaredon Group does not use any known Linux implants. It is difficult to make comparisons between tools built for different operating systems because they are developed with different challenges and objectives in mind. We can, however, observe similarities at a high level. The techniques and modules employed by EvilGnome—that is, the use of an SFX, persistence through a task scheduler and the deployment of information-stealing tools—remind us of Gamaredon Group’s Windows tools. We present a thorough analysis of EvilGnome in the following section.</p>
<p><strong>Technical Analysis</strong></p>
<p><strong>Deployment with Makeself SFX<br />
</strong></p>
<p>This implant is delivered in the form of a self-extracting archive shell script created with <a href="https://github.com/megastep/makeself" target="_blank" rel="noopener nofollow noreferrer">makeself</a>:</p>
<ul>
<li>&#8220;<a href="https://makeself.io/" target="_blank" rel="noopener nofollow noreferrer">makeself.sh</a> is a small shell script that generates a self-extractable compressed tar archive from a directory. The resulting file appears as a shell script (many of those have a <strong>.run</strong> suffix), and can be launched as is. The archive will then uncompress itself to a temporary directory and an optional arbitrary command will be executed (for example an installation script). This is pretty similar to archives generated with WinZip Self-Extractor in the Windows world.&#8221;</li>
</ul>
<p>Interestingly, the tool’s operator did not omit metadata from the generated makeself SFX. The packaging date, development paths and the tool’s filename were all left exposed. We can observe that the sample is very recent, created on Thursday, July 4:</p>
<p><img loading="lazy" width="956" height="284" class="wp-image-5221 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/makeself.png" alt="makeself" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/makeself.png 956w, https://www.intezer.com/wp-content/uploads/2019/07/makeself-300x89.png 300w, https://www.intezer.com/wp-content/uploads/2019/07/makeself-768x228.png 768w" data-lazy-sizes="(max-width: 956px) 100vw, 956px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/makeself.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="956" height="284" class="wp-image-5221" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/makeself.png" alt="makeself" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/makeself.png 956w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/makeself-300x89.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/makeself-768x228.png 768w " sizes="(max-width: 956px) 100vw, 956px" /></noscript></p>
<p><img loading="lazy" width="630" height="124" class="wp-image-5215 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-31.png" alt="pasted image 0 31" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-31.png 630w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-31-300x59.png 300w" data-lazy-sizes="(max-width: 630px) 100vw, 630px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-31.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="630" height="124" class="wp-image-5215" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-31.png" alt="pasted image 0 31" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-31.png 630w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-31-300x59.png 300w " sizes="(max-width: 630px) 100vw, 630px" /></noscript><br />
Figure 5: Makeself packaging metadata and the archived files’ metadata</p>
<p>As can be observed in the illustration above, the makeself script is instructed to run <em>./setup.sh </em>after unpacking.</p>
<p>Using <em>makeself</em>’s options, we are able to instruct the script to unpack itself without executing:</p>
<p><img loading="lazy" width="546" height="124" class="wp-image-5212 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-28.png" alt="pasted image 0 28" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-28.png 546w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-28-300x68.png 300w" data-lazy-sizes="(max-width: 546px) 100vw, 546px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-28.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="546" height="124" class="wp-image-5212" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-28.png" alt="pasted image 0 28" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-28.png 546w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-28-300x68.png 300w " sizes="(max-width: 546px) 100vw, 546px" /></noscript><br />
Figure 6: Unpacking Makeself</p>
<p>The archive contains four files:</p>
<ol>
<li><strong>gnome-shell-ext</strong> &#8211; the spy agent executable</li>
<li><strong>gnome-shell-ext.sh</strong> &#8211; checks if <em>gnome-shell-ext</em> is already running and if not, executes it</li>
<li><strong>rtp.dat</strong><em> </em>&#8211; configuration file for <em>gnome-shell-ext</em></li>
<li><strong>setup.sh</strong> &#8211; the setup script that is run by makeself after unpacking</li>
</ol>
<p>The setup script installs the agent to <strong>~/.cache/gnome-software/gnome-shell-extensions/</strong>, in an attempt to masquerade as a Gnome shell extension. Gnome shell extensions let users tweak the Gnome desktop and add functionality. They are the desktop equivalent of browser extensions.</p>
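<p>Persistence is achieved by registering <em>gnome-shell-ext.sh</em> to run every minute in crontab. A crontab entry that launches a script from this directory is therefore something defenders can check for on a suspected host.</p>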
<p>Finally, the script executes <em>gnome-shell-ext.sh</em>, which in turn launches the main executable <em>gnome-shell-ext:</em></p>
<p><img loading="lazy" width="518" height="58" class="wp-image-5222 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-36.png" alt="pasted image 0 36" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-36.png 518w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-36-300x34.png 300w" data-lazy-sizes="(max-width: 518px) 100vw, 518px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-36.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="518" height="58" class="wp-image-5222" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-36.png" alt="pasted image 0 36" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-36.png 518w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-36-300x34.png 300w " sizes="(max-width: 518px) 100vw, 518px" /></noscript></p>
<p><img loading="lazy" width="681" height="144" class="wp-image-5214 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-30.png" alt="pasted image 0 30" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-30.png 681w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-30-300x63.png 300w" data-lazy-sizes="(max-width: 681px) 100vw, 681px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-30.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="681" height="144" class="wp-image-5214" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-30.png" alt="pasted image 0 30" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-30.png 681w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-30-300x63.png 300w " sizes="(max-width: 681px) 100vw, 681px" /></noscript><br />
Figure 7: setup.sh</p>
<p><strong>The Spy Agent</strong></p>
<p>Analyzing the agent with Intezer Analyze showed that the system had never seen this code before:</p>
<p><img loading="lazy" width="1600" height="486" class="wp-image-5218 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-34.png" alt="pasted image 0 34" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-34.png 1600w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-34-300x91.png 300w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-34-1024x311.png 1024w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-34-768x233.png 768w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-34-1536x467.png 1536w" data-lazy-sizes="(max-width: 1600px) 100vw, 1600px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-34.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1600" height="486" class="wp-image-5218" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-34.png" alt="pasted image 0 34" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-34.png 1600w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-34-300x91.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-34-1024x311.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-34-768x233.png 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-34-1536x467.png 1536w " sizes="(max-width: 1600px) 100vw, 1600px" /></noscript><br />
Figure 8: <a href="https://analyze.intezer.com/#/analyses/8db39fae-8f82-42b2-9816-b353a7dbb16b" target="_blank" rel="noopener noreferrer">Intezer Analyze report of the Spy Agent sample</a></p>
<p>Such a large number of unique genes in a single file is not something we regularly see in Linux files, which is why it seems suspicious.</p>
<p>The Spy Agent was built in C++, using classes with an object oriented structure. The binary was not stripped, which allowed us to read symbols and understand the developer’s intentions.</p>
<p>At launch, the agent forks to run in a new process. The agent then reads the <em>rtp.dat</em> configuration file and loads it directly into memory:</p>
<p><img loading="lazy" width="552" height="144" class="wp-image-5216 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-32.png" alt="pasted image 0 32" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-32.png 552w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-32-300x78.png 300w" data-lazy-sizes="(max-width: 552px) 100vw, 552px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-32.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="552" height="144" class="wp-image-5216" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-32.png" alt="pasted image 0 32" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-32.png 552w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-32-300x78.png 300w " sizes="(max-width: 552px) 100vw, 552px" /></noscript><br />
Figure 9: Loading configuration from rtp.dat</p>
<p>We marked interesting fields within the configuration file:</p>
<p><img loading="lazy" width="679" height="243" class="wp-image-5220 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/rtpdat2.png" alt="rtpdat2" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/rtpdat2.png 679w, https://www.intezer.com/wp-content/uploads/2019/07/rtpdat2-300x107.png 300w" data-lazy-sizes="(max-width: 679px) 100vw, 679px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/rtpdat2.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="679" height="243" class="wp-image-5220" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/rtpdat2.png" alt="rtpdat2" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/rtpdat2.png 679w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/rtpdat2-300x107.png 300w " sizes="(max-width: 679px) 100vw, 679px" /></noscript><br />
Figure 10: Configuration dissection</p>
<p>The first four bytes hold the C2’s IP address in hexadecimal. Reading the 32-bit value’s bytes from least significant to most significant gives the address in dotted-quad form:</p>
<p>0x65343ec3 -&gt;  0xc3.0x3e.0x34.0x65 -&gt; 195.62.52.101</p>
<p><strong>Modules</strong></p>
<p>The spy agent contains five modules called “Shooters”:</p>
<p><img loading="lazy" width="379" height="152" class="wp-image-5219 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-35.png" alt="pasted image 0 35" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-35.png 379w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-35-300x120.png 300w" data-lazy-sizes="(max-width: 379px) 100vw, 379px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-35.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="379" height="152" class="wp-image-5219" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-35.png" alt="pasted image 0 35" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-35.png 379w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-35-300x120.png 300w " sizes="(max-width: 379px) 100vw, 379px" /></noscript><br />
Figure 11: “Shooter” modules</p>
<p><strong>ShooterSound</strong> &#8211; captures audio from the user’s microphone and uploads to C2</p>
<p><strong>ShooterImage</strong> &#8211; captures screenshots and uploads to C2</p>
<p><strong>ShooterFile </strong>&#8211; scans the file system for newly created files and uploads them to C2</p>
<p><strong>ShooterPing </strong>&#8211; receives new commands from C2</p>
<p><strong>ShooterKey </strong>&#8211; unimplemented and unused, most likely an unfinished keylogging module</p>
<p>Each module is run in a separate thread, and access to shared resources (such as the configuration) is safeguarded by mutexes.</p>
<p>The modules encrypt their output and decrypt data from the C2 using RC5 with the key “<em>sdg62_AS.sa$die3</em>”. The RC5 implementation is a modified version of a Russian open source library, <a href="https://webhamster.ru/site/page/index/articles/projectcode/157" target="_blank" rel="noopener nofollow noreferrer">https://webhamster.ru/site/page/index/articles/projectcode/157</a>:</p>
<p><img loading="lazy" width="620" height="269" class="wp-image-5203 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-19.png" alt="pasted image 0 19" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-19.png 620w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-19-300x130.png 300w" data-lazy-sizes="(max-width: 620px) 100vw, 620px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-19.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="620" height="269" class="wp-image-5203" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-19.png" alt="pasted image 0 19" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-19.png 620w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-19-300x130.png 300w " sizes="(max-width: 620px) 100vw, 620px" /></noscript><br />
Figure 12: RC5 library</p>
<p>On connection failure, or if instructed by the C2, these modules store their output at <strong>~/.cache/gnome-software/gnome-shell-extensions/tmp/</strong>:</p>
<p><img loading="lazy" width="1090" height="254" class="wp-image-5207 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-23.png" alt="pasted image 0 23" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-23.png 1090w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-23-300x70.png 300w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-23-1024x239.png 1024w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-23-768x179.png 768w" data-lazy-sizes="(max-width: 1090px) 100vw, 1090px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-23.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1090" height="254" class="wp-image-5207" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-23.png" alt="pasted image 0 23" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-23.png 1090w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-23-300x70.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-23-1024x239.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-23-768x179.png 768w " sizes="(max-width: 1090px) 100vw, 1090px" /></noscript></p>
<p>Figure 13: Stored files</p>
<p>We will now dive into each of the five modules and their options:</p>
<p><strong>ShooterPing</strong></p>
<p>The ShooterPing module processes commands received from the C2:</p>
<p><img loading="lazy" width="261" height="121" class="wp-image-5213 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-29.png" alt="pasted image 0 29" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-29.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="261" height="121" class="wp-image-5213" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-29.png" alt="pasted image 0 29" /></noscript><br />
Figure 14: C2 commands</p>
<p>These include:</p>
<ul>
<li>Download &amp; execute new files</li>
<li>Set new filters for file scanning</li>
<li>Download &amp; set new runtime configuration</li>
<li>Exfiltrate stored output to C2</li>
<li>Stop the shooter modules from running</li>
</ul>
<p>The other modules run repeatedly, waiting a fixed interval between runs that is defined by one of the configuration parameters. The C2 is able to change this interval by having the agent download new parameters through ShooterPing.</p>
<p><strong>ShooterFile</strong></p>
<p>The ShooterFile module uses a filter list to scan the filesystem, while ignoring specific files and folders as shown in the following illustration:</p>
<p><img loading="lazy" width="678" height="532" class="wp-image-5209 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-25.png" alt="pasted image 0 25" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-25.png 678w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-25-300x235.png 300w" data-lazy-sizes="(max-width: 678px) 100vw, 678px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-25.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="678" height="532" class="wp-image-5209" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-25.png" alt="pasted image 0 25" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-25.png 678w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-25-300x235.png 300w " sizes="(max-width: 678px) 100vw, 678px" /></noscript><br />
Figure 15: File scanning filter</p>
<p>We can see from the filter_accepted_files list that the agent’s purpose is to steal document-related files. However, the malware does not actually use the list, which further indicates that this is a work in progress.</p>
<p><strong>ShooterAudio</strong></p>
<p><img loading="lazy" width="504" height="172" class="wp-image-5210 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-26.png" alt="pasted image 0 26" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-26.png 504w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-26-300x102.png 300w" data-lazy-sizes="(max-width: 504px) 100vw, 504px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-26.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="504" height="172" class="wp-image-5210" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-26.png" alt="pasted image 0 26" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-26.png 504w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-26-300x102.png 300w " sizes="(max-width: 504px) 100vw, 504px" /></noscript><br />
Figure 16: Capturing audio with PulseAudio</p>
<p>The ShooterAudio module uses PulseAudio to capture audio from the user’s microphone.</p>
<p>With the default configuration from rtp.dat, the module records only 80,000 bytes of audio per iteration. Consequently, it captures audio for only a brief moment, making the module non-functional until the C2 sets a larger recording size.</p>
<p><strong>ShooterImage</strong></p>
<p>This module opens a connection to the XOrg Display Server, which is the backend to the Gnome desktop. It uses the Cairo open source library to take screenshots of the user’s desktop.</p>
<p><img loading="lazy" width="721" height="309" class="wp-image-5204 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-20.png" alt="pasted image 0 20" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-20.png 721w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-20-300x129.png 300w" data-lazy-sizes="(max-width: 721px) 100vw, 721px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-20.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="721" height="309" class="wp-image-5204" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-20.png" alt="pasted image 0 20" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-20.png 721w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-20-300x129.png 300w " sizes="(max-width: 721px) 100vw, 721px" /></noscript><br />
Figure 17: Screenshot capturing using XOrg Server</p>
<p><strong>Prevention and Response</strong></p>
<p>Linux users who want to check whether they are infected should look in the “~/.cache/gnome-software/gnome-shell-extensions” directory for the “gnome-shell-ext” executable. Because this path and file name come from the samples analyzed here, not finding the file does not rule out a variant installed elsewhere. We have also created a custom <a href="https://github.com/intezer/yara-rules/blob/master/EvilGnome.yar" target="_blank" rel="noopener nofollow noreferrer">YARA rule</a>, based on code reuse technology, for detecting future variants of EvilGnome.</p>
<p><strong>Conclusion</strong></p>
<p>EvilGnome is a rare type of malware due to its appetite for Linux desktop users. Throughout this post, we have presented detailed infrastructure-related evidence to connect EvilGnome to the actors behind the Gamaredon Group. We believe this is a premature test version. We expect newer versions to be discovered and reviewed in the future, which could potentially shed more light on the group’s operations.</p>
<p><strong>Genetic Analysis</strong></p>
<p>The EvilGnome malware variant is now indexed in Intezer’s genetic database. If you have a file that you suspect to be EvilGnome, you can upload it to Intezer Analyze to detect code reuse from this threat family and many others. You are welcome to <a href="https://analyze.intezer.com/#/" target="_blank" rel="noopener noreferrer">try it for free in our community edition</a>.</p>
<p><img loading="lazy" width="1322" height="511" class="wp-image-5206 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-22.png" alt="pasted image 0 22" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-22.png 1322w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-22-300x116.png 300w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-22-1024x396.png 1024w, https://www.intezer.com/wp-content/uploads/2019/07/pasted-image-0-22-768x297.png 768w" data-lazy-sizes="(max-width: 1322px) 100vw, 1322px" data-lazy-src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-22.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1322" height="511" class="wp-image-5206" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/07/pasted-image-0-22.png" alt="pasted image 0 22" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-22.png 1322w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-22-300x116.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-22-1024x396.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/07/pasted-image-0-22-768x297.png 768w " sizes="(max-width: 1322px) 100vw, 1322px" /></noscript><br />
Figure 18: <a href="https://analyze.intezer.com/#/analyses/eeec2273-82ac-4190-b434-8ffb304deeef" target="_blank" rel="noopener noreferrer">Intezer Analyze report of the Spy Agent sample</a></p>
<p><strong>IOCs</strong></p>
<p><strong>EvilGnome</strong>:</p>
<p>a21acbe7ee77c721f1adc76e7a7799c936e74348d32b4c38f3bf6357ed7e8032</p>
<p>82b69954410c83315dfe769eed4b6cfc7d11f0f62e26ff546542e35dcd7106b7</p>
<p>7ffab36b2fa68d0708c82f01a70c8d10614ca742d838b69007f5104337a4b869</p>
<p>195.62.52[.]101</p>
<p><strong>Gamaredon Group:</strong></p>
<p>185.158.115[.]44</p>
<p>185.158.115[.]154</p>
<p>clsass.ddns[.]net</p>
<p>kotl[.]space</p>
<div class="author-box-bottom clearfix"><div class="user-bio"><strong>Paul Litvak</strong><p>Paul is a malware analyst and reverse engineer at Intezer. He previously served as a developer in the Israel Defense Force (IDF) Intelligence Corps for three years.</p></div></div>
</div></div><div class="col-md-1"></div></div>
		    </div>
			
		

		   

				
				
	    </div>
		

    </div>

        <script type="text/javascript">
	$(window).scroll(function() {
    var nav = $('#main-menu');
    var toppopheight = $('#top-bar-spacer').height();
    var top = 140;
    if ($(window).scrollTop() >= top) {
        nav.addClass('botborder');
		nav.css({ top: toppopheight });
    } else {
        nav.removeClass('botborder');
     nav.css({ top: 0 });
    }
});
</script>
	   <link rel='stylesheet' id='elementor-frontend-legacy-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/custom-frontend-legacy.min.css?ver=3.4.8' media='all' />
<link rel='stylesheet' id='elementor-frontend-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/custom-frontend.min.css?ver=1637134910' media='all' />
<style id='elementor-frontend-inline-css' type='text/css'>
@font-face{font-family:eicons;src:url(https://www.intezer.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.eot?5.10.0);src:url(https://www.intezer.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.eot?5.10.0#iefix) format("embedded-opentype"),url(https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.woff2?5.10.0) format("woff2"),url(https://www.intezer.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.woff?5.10.0) format("woff"),url(https://www.intezer.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.ttf?5.10.0) format("truetype"),url(https://www.intezer.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.svg?5.10.0#eicon) format("svg");font-weight:400;font-style:normal}
</style>
<link rel='stylesheet' id='elementor-post-16929-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/post-16929.css?ver=1637134911' media='all' />
<link rel='stylesheet' id='elementor-post-17075-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/post-17075.css?ver=1637134911' media='all' />
<link rel='stylesheet' id='elementor-icons-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor/assets/lib/eicons/css/elementor-icons.min.css?ver=5.13.0' media='all' />
<link rel='stylesheet' id='elementor-post-8921-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/post-8921.css?ver=1637134912' media='all' />
<link rel='stylesheet' id='elementor-pro-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/custom-pro-frontend.min.css?ver=1637134912' media='all' />
<link rel='stylesheet' id='e-animations-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor/assets/lib/animations/animations.min.css?ver=3.4.8' media='all' />
<link rel='stylesheet' id='google-fonts-1-css'  href='https://fonts.googleapis.com/css?family=Roboto%3A100%2C100italic%2C200%2C200italic%2C300%2C300italic%2C400%2C400italic%2C500%2C500italic%2C600%2C600italic%2C700%2C700italic%2C800%2C800italic%2C900%2C900italic%7CRoboto+Slab%3A100%2C100italic%2C200%2C200italic%2C300%2C300italic%2C400%2C400italic%2C500%2C500italic%2C600%2C600italic%2C700%2C700italic%2C800%2C800italic%2C900%2C900italic&#038;display=auto&#038;ver=0aeebf0e297002559f8cf4ab5cad896d' media='all' />
<script type='text/javascript' src='https://c0.wp.com/c/5.8.2/wp-includes/js/dist/vendor/regenerator-runtime.min.js' id='regenerator-runtime-js'></script>
<script type='text/javascript' src='https://c0.wp.com/c/5.8.2/wp-includes/js/dist/vendor/wp-polyfill.min.js' id='wp-polyfill-js'></script>
<script type='text/javascript' id='contact-form-7-js-extra'>
/* <![CDATA[ */
var wpcf7 = {"api":{"root":"https:\/\/www.intezer.com\/wp-json\/","namespace":"contact-form-7\/v1"},"cached":"1"};
/* ]]> */
</script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.5.2' id='contact-form-7-js'></script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/dynamicconditions/Public/js/dynamic-conditions-public.js?ver=1.5.1' id='dynamic-conditions-js'></script>
<script type='text/javascript' id='leadin-script-loader-js-js-extra'>
/* <![CDATA[ */
var leadin_wordpress = {"userRole":"visitor","pageType":"post","leadinPluginVersion":"8.4.329"};
/* ]]> */
</script>
<script type='text/javascript' src='https://js.hs-scripts.com/5492986.js?integration=WordPress' async defer id='hs-script-loader'></script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/tether.min.js?ver=0aeebf0e297002559f8cf4ab5cad896d' id='tether_js-js'></script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/bootstrap.min.js?ver=0aeebf0e297002559f8cf4ab5cad896d' id='bootstrap_js-js'></script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/main.js?ver=0aeebf0e297002559f8cf4ab5cad896d' id='intezer-main-scripts-js'></script>
<script type='text/javascript' src='https://c0.wp.com/c/5.8.2/wp-includes/js/dist/hooks.min.js' id='wp-hooks-js'></script>
<script type='text/javascript' id='wpdreams-ajaxsearchlite-js-before'>
window.ASL = typeof window.ASL !== 'undefined' ? window.ASL : {}; window.ASL.wp_rocket_exception = "DOMContentLoaded"; window.ASL.ajaxurl = "https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php"; window.ASL.backend_ajaxurl = "https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php"; window.ASL.js_scope = "jQuery"; window.ASL.detect_ajax = 0; window.ASL.scrollbar = true; window.ASL.js_retain_popstate = 0; window.ASL.version = 4750; window.ASL.min_script_src = ["https:\/\/www.intezer.com\/wp-content\/plugins\/ajax-search-lite\/js\/min\/jquery.ajaxsearchlite.min.js"]; window.ASL.highlight = {"enabled":false,"data":[]}; window.ASL.fix_duplicates = 1; window.ASL.analytics = {"method":0,"tracking_id":"","string":"?ajax_search={asl_term}","event":{"focus":{"active":1,"action":"focus","category":"ASL","label":"Input focus","value":"1"},"search_start":{"active":0,"action":"search_start","category":"ASL","label":"Phrase: {phrase}","value":"1"},"search_end":{"active":1,"action":"search_end","category":"ASL","label":"{phrase} | {results_count}","value":"1"},"magnifier":{"active":1,"action":"magnifier","category":"ASL","label":"Magnifier clicked","value":"1"},"return":{"active":1,"action":"return","category":"ASL","label":"Return button pressed","value":"1"},"facet_change":{"active":0,"action":"facet_change","category":"ASL","label":"{option_label} | {option_value}","value":"1"},"result_click":{"active":1,"action":"result_click","category":"ASL","label":"{result_title} | {result_url}","value":"1"}}};
</script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/js/min/jquery.ajaxsearchlite.min.js?ver=4.9.5' id='wpdreams-ajaxsearchlite-js'></script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-lazy-images/dist/intersection-observer.js?minify=false&#038;ver=2d4bf43f398489795f1893179047a63c' id='jetpack-lazy-images-polyfill-intersectionobserver-js'></script>
<script type='text/javascript' id='jetpack-lazy-images-js-extra'>
/* <![CDATA[ */
var jetpackLazyImagesL10n = {"loading_warning":"Images are still loading. Please cancel your print and try again."};
/* ]]> */
</script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-lazy-images/dist/lazy-images.js?minify=false&#038;ver=1c8bb5930b723e669774487342a8fa98' id='jetpack-lazy-images-js'></script>
<script type='text/javascript' id='wpcf7cf-scripts-js-extra'>
/* <![CDATA[ */
var wpcf7cf_global_settings = {"ajaxurl":"https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php"};
/* ]]> */
</script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/cf7-conditional-fields/js/scripts.js?ver=2.0.7' id='wpcf7cf-scripts-js'></script>
<script type='text/javascript' src='https://www.google.com/recaptcha/api.js?render=6LewXc8UAAAAADEYz8dYpHTk55uH2MjKqbyc1sXD&#038;ver=3.0' id='google-recaptcha-js'></script>
<script type='text/javascript' id='wpcf7-recaptcha-js-extra'>
/* <![CDATA[ */
var wpcf7_recaptcha = {"sitekey":"6LewXc8UAAAAADEYz8dYpHTk55uH2MjKqbyc1sXD","actions":{"homepage":"homepage","contactform":"contactform"}};
/* ]]> */
</script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=5.5.2' id='wpcf7-recaptcha-js'></script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.min.js?ver=3.5.1' id='elementor-pro-webpack-runtime-js'></script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js?ver=3.4.8' id='elementor-webpack-runtime-js'></script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js?ver=3.4.8' id='elementor-frontend-modules-js'></script>
<script type='text/javascript' id='elementor-pro-frontend-js-before'>
var ElementorProFrontendConfig = {"ajaxurl":"https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php","nonce":"fa597ce5a5","urls":{"assets":"https:\/\/www.intezer.com\/wp-content\/plugins\/elementor-pro\/assets\/","rest":"https:\/\/www.intezer.com\/wp-json\/"},"i18n":{"toc_no_headings_found":"No headings were found on this page."},"shareButtonsNetworks":{"facebook":{"title":"Facebook","has_counter":true},"twitter":{"title":"Twitter"},"linkedin":{"title":"LinkedIn","has_counter":true},"pinterest":{"title":"Pinterest","has_counter":true},"reddit":{"title":"Reddit","has_counter":true},"vk":{"title":"VK","has_counter":true},"odnoklassniki":{"title":"OK","has_counter":true},"tumblr":{"title":"Tumblr"},"digg":{"title":"Digg"},"skype":{"title":"Skype"},"stumbleupon":{"title":"StumbleUpon","has_counter":true},"mix":{"title":"Mix"},"telegram":{"title":"Telegram"},"pocket":{"title":"Pocket","has_counter":true},"xing":{"title":"XING","has_counter":true},"whatsapp":{"title":"WhatsApp"},"email":{"title":"Email"},"print":{"title":"Print"}},"facebook_sdk":{"lang":"en_US","app_id":""},"lottie":{"defaultAnimationUrl":"https:\/\/www.intezer.com\/wp-content\/plugins\/elementor-pro\/modules\/lottie\/assets\/animations\/default.json"}};
</script>
  
              

    </body>
</html>
